I’ve come to really enjoy going to live soccer games, and late in July my wife got us some great seats to FC Dallas versus the LA Galaxy! We had a great time. We had a designated driver so sampled various micro-brews and cheered for Dallas. They lost but we had a wonderful time.

Because of the gusto with which we sampled the various brews, I never noticed I had lost my phone until the next morning as we prepared to go out of town. I was convinced I had left my phone in our friends car, so we left for several days. They couldn’t find my phone in their car so immediately began resetting my passwords, starting with Google.

If you’ve lost your phone and didn’t have any tracking software on it, you may be aware of tools like Plan B or AndroidLost. After my last factory reset, I forgot to put tracking software back on my phone or even set a lock.

And thus, in my effort to secure my identity and accounts, I had locked myself out of my phone. With a new Google password, I couldn’t go to Google Play and push Plan B or anything to my phone. And Google doesn’t allow you to use old passwords, so I couldn’t set it back.

Sorry, but this would not do. And so – here’s the story of how I reset my Google password back to an old password, found my phone, and got it back.

Lesson 1:

Before you lose your phone, install tracking software. Period. I used AndroidLost. Install it, enable Admin Rights. Scan the QR code you see to get started.

Then, I would encourage you to donate a few bucks to the team that wrote it. You don’t have to, but if you use it to get your phone back, you will anyway. Donating ahead of time will make the software better.

Then go to AndroidLost.com, login with your Google account, and check it out.

You’ll thank me, and AndroidLost, if you have to use this software. AndroidLost doesn’t poll a server but like many other solutions it is managed via SMS and so battery drain and data usage should be minimal. Also, check out Lookout software’s Plan B. It, too, can be a lifesaver.

Dang, I didn’t follow my own Lesson 1, so Lesson 2:

Mine was almost a worst case scenario. I had no security on my phone and have several ancillary accounts are associated with my Google account. My first reaction was to change my password. Which is good until you try and change it back to your old one. Via Google Play, you can install apps like AndroidLost and Plan B to your phone. There’s catch, though, in that you can only do this if its login is still valid or you haven’t changed your Google password. I’d done the later, so my phone was somewhere with no tracking software, no passcode, and no way for me to touch it.

A quick search showed a LOT of people unhappy that Google won’t allow password reuse. More digging uncovered references to 100 remembered passwords. The general consensus in the support forums is “Too bad for you, you should have known better. Better luck next time!” The IT pro in me knows that this is the right approach. It’s just better and more secure that way.

I can’t reuse my old Google password until I change my password 100 more times? Challenge accepted, like a boss.

It’s funny how you go back to the basics when the SHTF. In this case, I retreated to a tools I had used in various capacities for years. VBScript and the spectacular windows automation tool AutoIT. For reference, the editor I use for VBScript is VBSEdit. There are many other editors, but this one is mine. It builds scripts into executables, too.

So, if you’re going to use this you have to install AutoIT. Install it all, including the COM objects. Next, you might be on a 64bit machine and running VBScripts on 64bit machines vs 32bit machines can be kludgy. Start by clicking here if you have issues. Lastly, I use Chrome. It’s really moot, but this script is written to use Chrome.

I make no guarantees that this script will work for you. Use this script at your own risk. If you do not feel comfortable with solving any of the issues I reference here, DO NOT USE THIS. Don’t download it, don’t run it, don’t do anything with it. You could lock yourself out of your Google account. If you are crazy enough to try this, make SURE you have recovery options setup for your Google account and that you can use them.

That being said, here’s the script. Read the comments carefully. Close everything else before running it. Do not touch your computer or move your mouse or click on any windows while this is running. The reason being is this is automating windows and sending keystrokes to the active window (in this case, Chrome). It takes a while to run, so give it time. Run the script from a prompt so when it terminates the output is still visible. I strongly recommend this in case of any problems.

WScript.Echo "This script will reset your google password 100 times so you can use an old password."

””””””””””””””””””””””””””””””””””””””” ‘ You should only edit value after this ”””””””””””””””””””””””””””””””””””””””

‘ Your Google username (email address) sUN = "username@gmail.com"

‘ Replace with the Current password to your google account curPW = "????????"

‘ Replace with the final password you want assigned to the account. The one you want to set the account’s password *back to*. oldPW = "????????"

‘ Is it going to fast? You can slow it down by adjusting this value. ‘ If you set it to 2, it will run twice as slow ‘ So if it is entering data into the wrong fields, try increasing this. ‘ It might help. iSlowConnectionFactor = 1

‘ If your password has a quote in it ("), then use "" in its place. ‘ For example, let’s say your password was ‘ MyPass"word!-55 ‘ ‘ The proper VBScript way to put that into a variable would look like this ‘ curPW = "MyPass""word!-55" ‘ ‘ See Microsoft’s website for more detail

‘ Where is the Chrome executable? Replace this with its location. ‘ Point app to Chrome Manually ‘ An easy way to find this is to right click the Chrome shortcut and copy the value in Target. ‘ Click Start, type Chrome, right click Google Chrome, click Properties, copy *everything* in Target, and put it here.

Function GLogout() ‘ Logs out from google. This is necessary for the password change to take effect. Trust me, I tried to do it without logging out. No luck. WScript.Echo "Logging out" oAutoIt.Send "!d" ‘ this goes to the address bar oAutoIt.Sleep 250 * iSlowConnectionFactor ‘ waits x ms times slow connection oAutoIt.Send "https://www.google.com/accounts/Logout{ENTER}" ‘ This logs out of google. oAutoIt.Sleep 5000 * iSlowConnectionFactor ‘ waits x ms times slow connection

End Function

Basically – the script opens Chrome, logs in as you, and begins to change your password 99 times. It logs in, changes your password, logs out, and repeats. It adds numbers to the end of your current password. After that, it resets the password a final time to the old password.

I created a test Google account to make sure the script ran as I wanted before doing this on my real account. I recommend doing this so you’ll know what to expect. Don’t forget to setup your recovery options on your test account. A handy thing about this is the test account can be the recovery account for your primary account.

One more thing, this script outputs the password is setting the account to. If it is interrupted for any reason you can examine the output to determine what the current password on the account is. You should use the recovery option, but if you are like me and can get into Ready, Fire, Aim mode – check the output for the current password. You can then edit the script, and start it over.

Lesson 2 is where there’s a will, there’s a way; especially if the will stems from paranoia and OCD. Oh, and that yes, it is true: if you change your password 100 times Google will forget your old password and let you use it again.

Lesson 3:

Ok, so your Google password is the same password that your account is set to on your Android phone. I’m writing this in August of 2012. If you are from the future and play has changed, you’ll have to figure it out how to remotely install apps. None of this will take effect until the Phone is on. See Afterthoughts on this, but remember when the phone connects uninstalls will take place but not installs. I had told Play to install PlanB and AndroidLost and when the phone finally came online the apps did not install. This is an important thing to remember.

Verify what is on it. You might want to remove apps that have personal data or information in them. If you use a 3rd party browser and cache passwords, for example. Or the Facebook and Twitter apps. Or maybe the Gmail app.

PlanB will start emailing you it’s best guess as to the location of your phone. The better the signal where it is, the more accurate it will be.

Next, you will want to send SMS (text) messages to your phone. Don’t have another phone? You can use a friends or do what I did.

Head over the Google Voice. Setup an account. With Google Voice, you can send SMS messages. These apps will text you back, acknowledging your commands. See their websites for a list of commands. You can secure the commands to require a pin code or restrict what numbers can text commands to these (Parents, are you listening? With these tools, you can get a GPS location of where your kids are, snap pictures, and record audio.)

Both AndroidLost and PlanB monitor incoming SMS messages for commands. For AndroidLost you have to tell your phone to launch the app. The phone takes it’s ID from your profile (see Dashboard in Afterthoughts) and matches up to your Google login on AndroidLost.com.

From there, via AndroidLost you can turn on the GPS (doesn’t work on all phones), pop up messages, take pictures, record audio, make your phone say things, and all sorts of useful tools to help find your phone. You can kick off an alarm for 30 seconds to find it in the couch cushions. You can also, and this sort of works, start a web server on your phone and retrieve files from your SDCard (if you’re phone is rooted, maybe more?).

No Luck:

I gambled.

If you can’t get your phone back – make sure you call your carrier and kill it. YOU are responsible for any charges to your account made by whoever steals or finds your phone.

I chose to leave my phone active and wait for it to come online. When I lost it, the battery was almost dead. On Sprint, I could see they made one call the day after they found it. It was almost 8 days later before my phone came online again. I think they had to find a charger for it. Either way, do this at your own risk.

No lesson, just a bit of free advice. THINK about the risks before you act or don’t act. Only you know what’s best for you. My decision to not immediately deactivate the phone was risky and some may say stupid. The guy who found it made some international calls and I will have to pay for them. For me, though, it was worth it.

Some afterthoughts

I was texting my phone like a mad man begging the person to reply to my texts so I could get my phone back. I was offering a reward, begging, you name it. (BTW, I don’t recommend you threaten) They never responded. Because they didn’t speak English! Consider using Google translate to text multilingual messages. The guy who found my phone couldn’t speak or read English. Granted, he didn’t ask anyone to translate it, but he also didn’t know I was offering him $100 to let me know where my phone was.

Never go alone to get your phone from a stranger, especially you ladies. The holder of your phone may know quite a bit about you. If the finder will meet you with the phone, meet in a well lit crowded public place. Be careful.

How do you know if your phone is online? Via your Google Dashboard. Login to your Google account, go the dashboard, scroll down to the section titled Android Devices. There, you will see your phone(s) or tablet(s). Click More Data Stored About this Device. In a pop-up window, Google kindly gives you the MEID, Registration Date, and most importantly the Last Activity Seen on. That last bit of information is the last time your phone or tablet was powered on and successfully connected to Google. There’s not guarantee the phone is still on, but if the time stamp is very recent you might get lucky. I did. Remember, though, if you changed your password your phone can’t connect. If it shows only a time, that means the device has connected today. In my case, after 8 days, the phone powered on around 11:45 AM yesterday. I check it about 3 hours later and recovery began in earnest.

Lock your device with a PIN or a Pattern. As a developer, I got lazy having to unlock my phone all the time. Lesson learned.

Install recovery software on your devices ahead of time. It may cost you battery life and maybe a little more data usage, but with EMAIL, online banking, Amazon, and pizza ordering available via your phone it’s important to protect your identity, credit, and savings. If the wrong person had found my phone they could have done a password recovery and gotten who knows what information.

Consider using non-system based email apps. By default, there’s an email client on your phone. You can use this for Gmail, Exchange, you name it, BUT YOU CANNOT REMOTELY REMOVE IT AND ITS DATA VIA GOOGLE PLAY. In my opinion, this is a huge oversight on the part of the carriers / Google / manufacturers. In my instance, I had an Exchange account associated setup on the default mail client on my phone. I used the GMail app for Gmail. Via Google Play, I told my phone to uninstall Gmail and delete all the data. The next time my phone came up it was told by Play to delete Gmail off the phone and all my emails. I couldn’t do this with the system app. So as a thought, always consider using a 3rd party app if the app will have personal or sensitive information within it.

If you get a brand new phone, before you do anything install these apps on the phone and play with them. Learn how to erase your SDCard or remotely lock / unlock your phone. Know what its capabilities are. Make your phone “self destruct” before you do anything with it. A self destruct just wipes all personal data off the phone, or factory resets it. So if it’s a brand new phone, I suspect a factory reset won’t do anything but you should carefully read what each recovery app does and what resetting it may do to your phone.

Consider using something like DropBox or Google Drive to automatically push data from your device to the cloud. For pictures, you might also consider setting up a Google+ account! When you install the Google+ app, you get the option automatically upload your pictures to your G+ profile. They are not shared with anyone by default, but it will save a copy for you. This can be invaluable not only for protecting your files but also for when someone says “Hey, send me copies of the pictures you took at that party!”. If you setup a Google+ account, you can find me at http://inzi.com/plus.

I was lucky, but I didn’t sleep at all last night. If you are here because you lost your phone and are trying to get it back, I feel for you and I hope you get it back.

If this script helped you, perhaps consider tossing me a tip via PayPal. I donated $10 USD to AndroidLost. It’s not much, but after coughing up a reward for my phone I’m eating Tuna and Ramen noodles for the rest of the month.

68 Responses to “How to use an old password on Google or GMail to get your lost Android phone back. (Updated Script 11/18/2014)”

Hi, your article is great but I am uclear on how to run the script. I downloaded AUto IT and I see your script. I copied and pasted the script, made the changes and then tried running it and i got the following error Error: Unterminated String. PLease help me.

Hi this is incredibly useful, but I have one extra problem: I hastily changed my gmail password as soon as my phone was stolen, as you did, but when I tried to change it back, google informed me that the previous password is now considered too weak!! (Google must have tightened up their password regulations after I made that password) So even though I manually changed the password 100 times, when I tried to revert back to my original password, google didn’t allow me to, on the grounds of it being too weak. I don’t suppose you would have any idea what I could do now? It is heartbreaking because my handbag was also stolen and it has things in it which just can’t be replaced

I just tried the script and followed your instructions above It runs but it cannot change the password on the account. There appears to be a problem with where the passwords are entered. The script will start putting the password in the email user name field after one or two loops. I am on Win7 64 and used the modified run and script commands you referenced.

A faster way is maybe to keep the Account window open and change the password while still logged in and without logging out.

This script is a little old, the UI may be changing? Another possibility is the page isn’t updating fast enough.

I think I tried doing it on the Account window and it didn’t work, which is why I had to go through the whole process of logging in and out. The best I can remember, it had something to do with the password being updated consistently when logging out.

Try increases the wait times where you see oAutoIT.Sleep. That is in ms, so try increasing it to 500ms where it is 250, 3500 where it is 2000, and 5000ms where it is 3000.

I’ve updated the script so you can tweak the speed at which it types. What you describe can happen if the page is still loading and the script starts typing.

It’s not smart enough to know to wait for the page to load. Try adjusting the variable iSlowConnectionFactor to something higher than 1.

Maybe 1.5 or even 2 (to wait twice as long before doing anything).

The slower it runs, the more accurate it should be.

One last thing to check is line 109. After it goes to the edit password page, Chrome should autofocus on the “current password” field. It should enter the current password and hit tab twice now; and then enter the new password twice.

1) the issue of “Fail: The specified file was not found.” on line 91, ie the line that tries to access chrome. Put triple quotes around the path on line 74, so for example for XP: ChromeEXE = “””C:\Documents and Settings\Chris\Local Settings\Application Data\Google\Chrome\Application\chrome.exe””” Apparently that escapes out the spaces in the path

BEFORE CONTINUING, MAKE SURE (and TEST it!) that your account recovery info works, in fact I would tell gmail that you have lost your password and make sure you’re able to recover it

2) I hated having to hit OK several times for each password change, so I put an apostrophe (beside the enter key) in front of every line in the script that starts with WScript.Echo . putting the apostrophe comments it out, the danger is if the script fails you’ll have no idea what your current password is, which is why you need to make sure the recovery works before hand

3) With my account, everytime I’d go to the login page it would already know my login name so only my password is needed, but the script would try to put in login AND password. To fix this comment out or delete line 149 and 150

‘oAutoIt.Send un & “{TAB}” ‘oAutoIt.Sleep 250 * iSlowConnectionFactor

to prevent the login name from being put in.

After making those changes it worked, and it went without any human input needed. HOWEVER, for some reason when it came time to set the final password, it screwed up. I used the account recovery to reset my password and then was able to successfully put in the password I wanted. Looking at the code for the 99 tries vs the final try, I think the issue is this:

Line 109: oAutoIt.Send tCurPw & “{TAB}{TAB}”

Line 127: oAutoIt.Send tCurPw & “{TAB}”

So it looks like the final try is missing a tab, but I’m not going to run it all again to try

I copied the script onto the AutoIT SciTE script editor and made the required changes for the email and passwords. I tried to compile it and get the error on line 2 : ‘ versions error: Unterminated String. I get the same error when i run it from the desktop

I clipped the part till the script says Declare variables and objects…but still it showed the same error of unterminated string.

this script does not work. it changes password only one time then it fails entering the new password again. if anyone has an updated version, please share. i’ll have a look myself at the script someday. f#*k you google.

2) remove the entry of the username, as chrome/google stores your user name, every new login, fails as it first tries to enter the username and then the password. effectively only the password is needed. So change the Function GLogin(un, pw) and remove these lines; ‘oAutoIt.Send un & “{TAB}” ‘oAutoIt.Send “{TAB}” ‘oAutoIt.Sleep 250 * iSlowConnectionFactor

3) as my chrome always seems to try to store the passwords, i’ve disabled and cleared the stored passwords function. This is because; 3.1) this screws every follow up login, as the password is already filled, and the script would fill it again 3.2) the pop-up asking if i would like to store the password, screws the automation script as it seems to get the focus.

And a personal preference, i’ve disabled some pop-up’s as it as a little too involved.. I more enjoyed..just lay back and watch…

Google must have changed their log-in screen yet again, because now this is screwing up by inputting the username each time, while Google actually retains the name of the last account that signed in. So the email address is put into the password field, and it eventually gets locked out after doing so 5 or so times.

Amusingly, this actually doesn’t stop the password from being changed, since the next thing it pastes is the password, right into the “old password” field in the “change password” window. Haha.

I’m going to have to figure out how to modify this so it only enters the email address once.

There appears to be an issue with lines 175 and 176. 175 is commented out, and I’m not sure if it’s supposed to be…. Then I believe line 176 is missing a quotation mark around the URL, but I’ve never coded in VB before, let alone worked with AutoIt, so I’m not 100% sure what’s supposed to happen there, especially since the URLs are so similar….

I’ve tried various fixes, to no avail. I’m going to keep futzing around with them though.

Thank you very much for the script. After several fixes it worked for me.

It took me a while to make it work and figure out that I do not need to do anything with AutoIT except for installing it.

Also I had to change line 179 oAutoIt.Send “https://accounts.google.com/ServiceLogin?Email=%22%22{ENTER}” to oAutoIt.Send “https://accounts.google.com/ServiceLogin?Email={ENTER}” because If you go to https://accounts.google.com/ServiceLogin?Email=“”, Google assumes that quotes are a part of your username. And it makes the script unable to solve this. I’ll send a pull request on Github.